The Point: An overlooked GitHub token following the TanStack attack enabled hackers to access Grafana’s private repositories. The company confirms: No customer data or production systems were affected.
A forgotten GitHub workflow token caused the Grafana data breach. Following the TanStack npm supply chain attack, the company overlooked a token during rotation, allowing attackers to access private repositories.
The Grafana security breach was triggered by a single GitHub workflow token that was overlooked during the rotation process following the TanStack npm supply chain attack. Dozens of TanStack packages on the npm registry had been infected with credential-stealing code. When one of the malicious packages was consumed by Grafana’s CI/CD workflow, the information stealer ran inside the GitHub workflow environment and exfiltrated workflow tokens to the attackers.
The company discovered the malicious activity on May 1st and immediately initiated countermeasures, including rotating multiple GitHub workflow tokens. One token, however, was overlooked during this process, which gave the attackers access to Grafana’s private repositories. A subsequent review confirmed that a workflow initially assessed as uncompromised had in fact been affected.
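The failure mode described above is an incomplete rotation inventory. As an added illustration (not code from the article or from Grafana), the following Python script builds that inventory from workflow files: it collects `${{ secrets.* }}` references in every workflow that runs an npm install step, where a malicious dependency's install script would execute, and reports which of those secrets have not yet been rotated. The workflow contents and secret names are constructed for the example.

```python
import re

# Constructed sample workflow files for this example (not Grafana's real
# workflows); keys are repo paths, values are workflow YAML fragments.
SAMPLE_WORKFLOWS = {
    ".github/workflows/build.yml": """
    steps:
      - run: npm ci
      - run: npm run release
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.RELEASE_PAT }}
""",
    ".github/workflows/docs.yml": """
    steps:
      - run: npm install
      - run: ./scripts/publish-docs.sh
        env:
          DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }}
""",
    ".github/workflows/lint.yml": """
    steps:
      - run: make lint
        env:
          LINT_TOKEN: ${{ secrets.LINT_TOKEN }}
""",
}

# ${{ secrets.NAME }} references, and run: steps that install npm packages
# (the step in which a compromised dependency's install script runs).
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
NPM_INSTALL = re.compile(r"^\s*-?\s*run:.*\bnpm\s+(?:ci|install|i)\b", re.M)


def secrets_exposed_to_npm(workflows: dict) -> dict:
    """Map each secret name to the workflows that reference it AND run npm install.
    Over-approximates (a secret is only readable by steps it is passed to), which
    is the safe direction for a rotation list: rotate more, not fewer."""
    exposed: dict = {}
    for path, text in workflows.items():
        if not NPM_INSTALL.search(text):
            continue
        for name in SECRET_REF.findall(text):
            exposed.setdefault(name, set()).add(path)
    return exposed


def rotation_gaps(workflows: dict, rotated: set) -> set:
    """Secrets exposed to npm that are missing from the set already rotated."""
    return set(secrets_exposed_to_npm(workflows)) - rotated
```

In the sample, `LINT_TOKEN` is excluded because its workflow never runs npm, while `DOCS_DEPLOY_KEY` is flagged as a gap if only the build workflow's secrets were rotated.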
Further investigation revealed that, in addition to source code, the intruders had downloaded operational business information — including contact names and email addresses. Grafana emphasizes, however, that no customer data or production systems were compromised. The codebase was not altered, so downloaded versions are safe. The company promises to notify affected customers immediately upon any new findings.